How to create strong passwords, and why you should care.
There are a number of irritating things experts insist you must do for your own good: eat nine servings of veggies a day; maintain a diverse retirement portfolio; check your transmission fluid every month. Most of us ignore a lot of this advice, because there’s no end to it, and our lives are complicated enough.
As a habitual good advice ignorer myself, I realize that when I tell you I’m here today to talk about passwords, you’ll want to tune me out. But wait! Good password hygiene is more important than flipping your mattress.
Think of your passwords as keys to your online house. You wouldn’t have the same key unlock your house, your office, your car, and your safety deposit box, would you? So why would you use the same password for your blog, PayPal, your bank’s website, your email, and any number of other sites and online services?
Yet many people do. And just as you wouldn’t lock up your house with a sailor’s knot, why would you lock up your blog with your easily guessed pet’s name?
Password Dos and Don’ts:
- DO use strong, long passwords.
- DO use a different password for each account.
- DO invest in a password manager.
- DON’T write your passwords down, email them, or share them with anyone.
- DON’T forget to log out on shared computers.
- DO enable two-step authentication where available.
It’s extremely important to protect yourself online. Were a hacker to crack your WordPress.com password, they could permanently delete everything on your blog before you even knew they were in it, and as devastating as that would be, it’s nothing compared to the pain of identity fraud.
Not to alarm you — at WordPress.com, we monitor potentially harmful activity to ensure there is no unauthorized access to your content, and we take security very seriously. Even so, it’s important that you protect yourself as well. Here’s how:
Create strong passwords
When I say strong, I don’t just mean difficult for a person to guess. (I’d hope that all of you know better than to use one of these 25 most-used passwords.) Hackers use computer programs to break passwords, so even if your selected password is bizarre or random, that doesn’t mean it’s strong enough.
Many login forms prompt you to create a password of random letters, numbers, and symbols. But such a password (for example, jal43#Koo%a) is actually very easy for a computer to break. The latest and most effective types of password attacks can attempt up to 350 billion guesses per second, and hackers are continually improving their efforts.
Instead, try using four or more random words in a long string, or passphrase, as described in this comic from xkcd.com:
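As an added illustration (not part of the original post), here is a short Python script that picks passphrase words with the operating system's secure random source and estimates how long a passphrase would hold up against the 350 billion guesses per second quoted above. The word list in it is a constructed sample; the entropy figures assume a published list of 7776 words (a diceware-style list) that the attacker is assumed to know.

```python
import math
import secrets

# Constructed sample list for illustration only. A real passphrase should be
# drawn from a large published list (diceware-style lists have 7776 words).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "broccoli", "mattress",
                "transmission", "shoebox", "sailor", "knot", "trunk", "portfolio"]

# Attack rate quoted in the article. This is an offline rate against a stolen
# password database; a login form that rate-limits attempts is far slower.
GUESSES_PER_SECOND = 350_000_000_000

def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a passphrase whose words are chosen uniformly at random from a
    list the attacker knows: only the choices are secret, not the list."""
    if word_count < 1 or wordlist_size < 2:
        raise ValueError("need at least one word and a list of at least two")
    return word_count * math.log2(wordlist_size)

def expected_crack_seconds(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time for exhaustive guessing: on average the attacker has to
    try half of the 2**bits possibilities before hitting the right one."""
    return (2 ** entropy_bits) / 2 / guesses_per_second

def generate_passphrase(word_count, wordlist=SAMPLE_WORDS, separator=" "):
    """Pick words with secrets.choice (CSPRNG), never by hand and never with
    random.choice, so the entropy estimate above actually holds."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))

def describe(word_count, wordlist_size=7776):
    """Summarise strength for a passphrase of word_count words from a
    wordlist_size-word list at the article's attack rate."""
    bits = passphrase_entropy_bits(word_count, wordlist_size)
    seconds = expected_crack_seconds(bits)
    years = seconds / (365.25 * 24 * 3600)
    return {"words": word_count, "bits": round(bits, 1), "years": years}

if __name__ == "__main__":
    # Each extra word from a 7776-word list adds about 12.9 bits, i.e. makes
    # the search roughly 7776 times longer.
    for n in (4, 5, 6, 7):
        print(describe(n))
    print("sample passphrase:", generate_passphrase(4))
```

Four words from a 7776-word list give about 51.7 bits, which the quoted rate exhausts in under two hours offline, while six words (about 77.5 bits) take on the order of ten thousand years, which is why the number of words matters more than any symbol substitution.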
Use unique passwords and a password manager
Now that you have your strong passphrase, don’t turn around and use the same one for all of your sites. You should use a unique password for every single site that you log into online.
Naturally, it’s difficult, if not impossible, to remember all of those different passwords, though. And you should never store your passwords in a text document on your hard drive, or write them down on a piece of paper, as these methods are kind of like putting all of your money into a shoebox and locking it in the trunk of your car.
Instead, use a password manager, such as LastPass, 1Password, or one of the additional password managers we suggest here. With a password manager, you need only remember one single strong master password. That password will unlock the password manager, which will integrate with your browser to unlock all of your online services without your having to remember any of them.
Not all are free, and it might be an afternoon’s time investment to put all your passwords into the password manager (not to mention change your existing weak passwords to stronger ones), but it’s time and money very well-spent.
Additionally, if you ever use a shared computer, be sure to explicitly log out of all of your accounts before leaving it. Browsers sometimes remain logged into websites for convenience, and you don’t want your account to be accessible to the next person who comes along.
Warning! Never, ever email your password to anyone, even support staff of the online service you’re attempting to use. If anyone ever asks you to provide them with a password over email, you should be very suspicious and should probably refuse.
And finally, many services (including WordPress.com) are now providing two-step authentication, which sends a code to your mobile phone when you log in. This is very secure, because a remote hacker will not have access to your mobile device and so even if your password is cracked, two-step ensures that your account stays safe.
I hope that I’ve convinced you to start taking steps to improve your online security. It’s a hassle, sure, but as with most annoying good advice, it becomes easier to follow the more you make a habit of it. Now, go eat some broccoli!